
Re: crypto for porno users


> Strong authentication via crypto does not create a trusted group.  Trust is
> a human:human decision -- subject to severe flaws, none of which are solved
> by crypto.  [Can you devise a crypto protocol which will prevent or even
> just detect adultery, for example?]  With each additional person, there is
> a probability of deception.  For this informal network of yours, deception
> by any one participant constitutes a security failure.  If you want to
> avoid that, therefore, you need to keep the group *very small*.  If it's
> that small, then it's not that interesting a target for LE.

Very true.  Authentication, whether strong or weak, merely says that you are who you say you are -
totally different from this "web of trust" I keep hearing about - and that is *it*.  Do you trust me
any more now than before I started signing my postings? 

> Ah -- but that's the point I was making.  Crypto gives the appearance of
> security -- whether it's in the informal network or with file storage.
> It's often a bank vault door on a cardboard house.  For much of what people
> do, especially if there's a large net, it's not rational to expect to
> achieve security.  But -- if people have done something to achieve
> security, they're likely to be fooled into trusting it to be adequate.
> Meanwhile, if *everything* on the perp's machine is encrypted, you're
> probably in good shape.  That means he'll be required to type passwords too
> often -- so he'll either pick a small one or have some machinery which
> stores the password.  Both give cryptanalytic advantages.

It's well-known that most revelations of encrypted information come from "humint", not from 
mathematical finesse with the encryption scheme.  I especially love Oracle's idea of security - when 
submitting SQL to the Oracle back-end, to automate the process, you feed it your user ID and 
password IN THE CLEAR, ON THE COMMAND LINE.  Any weenie can run "ps -ef/ps -ax" and pipe it to 
grep.  The fact that Larry Ellison won't do anything about it seems to me to be idiocy of the first 
order, and that Oracle doesn't know what it's doing.  It's not even a good database product.  Deity 
only knows why people keep buying it, although that's rather off-topic ;)
--
Ed Carp, N7EKG    			[email protected], [email protected]
					214/993-3935	voicemail/pager
Finger [email protected] for PGP 2.5 public key		[email protected]

Q.	What's the trouble with writing an MS-DOS program to emulate Clinton?
A.	Figuring out what to do with the other 639K of memory.

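The command-line exposure described in the reply above can be audited from the same process listing any local user can read. This is an added example, not part of the original post: the client name `sqlplus`, the function names and the sample listing are assumptions made for illustration, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: report database client processes whose argument list
# carries a user/password logon string. Input is "PID USER ARGS..." lines,
# the layout printed by `ps -eo pid,user,args`. Passwords are masked.
# CLIENTS is an assumed list of client program names to inspect.
CLIENTS="${CLIENTS:-sqlplus}"

find_argv_credentials() {
    awk -v clients="$CLIENTS" '
    BEGIN {
        n = split(clients, c, " ")
        for (k = 1; k <= n; k++) watch[c[k]] = 1
        # user/password or user/password@service. A bare "/nolog"
        # (logon sent later on stdin) does not match.
        logon = "^[A-Za-z_][A-Za-z0-9_$#]*/[^/@]+(@.+)?$"
    }
    {
        pid = $1; owner = $2
        m = split($3, parts, "/")
        if (!(parts[m] in watch)) next      # only inspect known clients
        hit = 0
        for (i = 4; i <= NF; i++) {
            if ($i ~ logon) {
                sub("/[^@]+", "/********", $i)   # mask the secret
                hit = 1
            }
        }
        if (!hit) next
        cmd = $3
        for (i = 4; i <= NF; i++) cmd = cmd " " $i
        print pid, owner, cmd
    }'
}

# Constructed sample listing. PID 102 shows the form that keeps the
# secret out of argv: start with /nolog and send the logon on stdin.
sample_ps() {
    cat <<'EOF'
  101 alice sqlplus -s scott/tiger@orcl @report.sql
  102 bob   sqlplus -s /nolog @report.sql
  103 carol vi src/main.c
  104 dave  /opt/oracle/bin/sqlplus hr/Secret1
EOF
}

sample_ps | find_argv_credentials
```

On a live host the same function reads real data with `ps -eo pid,user,args | find_argv_credentials`.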